net/cert/x509_util_openssl_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/memory/scoped_ptr.h"
   6 #include "crypto/ec_private_key.h"
   7 #include "crypto/openssl_util.h"
   8 #include "crypto/scoped_openssl_types.h"
   9 #include "net/cert/x509_util.h"
  10 #include "net/cert/x509_util_openssl.h"
  11 #include "net/ssl/scoped_openssl_types.h"
  12 #include "testing/gtest/include/gtest/gtest.h"
  13
  14 namespace net {
  15
  16 namespace {
  17
  18 // Verify that a given certificate was signed with the private key corresponding
  19 // to a given public key.
  20 // |der_cert| is the DER-encoded X.509 certificate.
  21 // |der_spki| is the DER-encoded public key of the signer.
  22 void VerifyCertificateSignature(const std::string& der_cert,
  23                                 const std::vector<uint8>& der_spki) {
  24   const unsigned char* cert_data =
  25       reinterpret_cast<const unsigned char*>(der_cert.data());
  26   int cert_data_len = static_cast<int>(der_cert.size());
  27   ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
  28   ASSERT_TRUE(cert.get());
  29
  30   // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier
  31   // but there is no OpenSSL API to extract it from an X509 object (!?)
  32   // Use X509_verify() directly instead, which takes an EVP_PKEY.
  33   const unsigned char* pub_key_data = &der_spki.front();
  34   int pub_key_len = static_cast<int>(der_spki.size());
  35   crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len));
  36   ASSERT_TRUE(pub_key.get());
  37
  38   // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error.
  39   EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get()));
  40 }
  41
  42 // Verify the attributes of a domain-bound certificate.
  43 // |domain| is the bound domain name.
  44 // |der_cert| is the DER-encoded X.509 certificate.
  45 void VerifyChannelID(const std::string& domain,
  46                      const std::string& der_cert) {
  47   // Origin Bound Cert OID.
  48   static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
  49   crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj(
  50       OBJ_txt2obj(oid_string, 0));
  51   ASSERT_TRUE(oid_obj.get());
  52
  53   const unsigned char* cert_data =
  54       reinterpret_cast<const unsigned char*>(der_cert.data());
  55   int cert_data_len = static_cast<int>(der_cert.size());
  56   ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
  57   ASSERT_TRUE(cert.get());
  58
  59   // Find the extension.
  60   int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1);
  61   ASSERT_NE(-1, ext_pos);
  62   X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos);
  63   ASSERT_TRUE(ext);
  64
  65   // Check its value, it must be an ASN.1 IA5STRING
  66   // Which means <tag> <length> <domain>, with:
  67   // <tag> == 22
  68   // <length> is the domain length, a single byte for short forms.
  69   // <domain> are the domain characters.
  70   // See http://en.wikipedia.org/wiki/X.690
  71   ASN1_STRING* value_asn1 = X509_EXTENSION_get_data(ext);
  72   ASSERT_TRUE(value_asn1);
  73   std::string value_str(reinterpret_cast<const char*>(value_asn1->data),
  74                         value_asn1->length);
  75
  76   // Check that the domain size is small enough for short form.
  77   ASSERT_LE(domain.size(), 127U) << "Domain is too long!";
  78   std::string value_expected;
  79   value_expected.resize(2);
  80   value_expected[0] = 22;
  81   value_expected[1] = static_cast<char>(domain.size());
  82   value_expected += domain;
  83
  84   EXPECT_EQ(value_expected, value_str);
  85 }
  86
  87 }  // namespace
  88
  89 TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) {
  90   base::Time now = base::Time::Now();
  91   EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now));
  92   EXPECT_FALSE(x509_util::IsSupportedValidityRange(
  93       now, now - base::TimeDelta::FromSeconds(1)));
  94
  95   // See x509_util_openssl.cc to see how these were computed.
  96   const int64 kDaysFromYear0001ToUnixEpoch = 719162;
  97   const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1;
  98
  99   // When computing too_old / too_late, add one day to account for
 100   // possible leap seconds.
 101   base::Time too_old = base::Time::UnixEpoch() -
 102       base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1);
 103
 104   base::Time too_late = base::Time::UnixEpoch() +
 105       base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1);
 106
 107   EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old));
 108   EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now));
 109
 110   EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late));
 111   EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late));
 112 }
 113
 114 TEST(X509UtilOpenSSLTest, CreateChannelIDEC) {
 115   // Create a sample ASCII weborigin.
 116   std::string domain = "weborigin.com";
 117   base::Time now = base::Time::Now();
 118
 119   scoped_ptr<crypto::ECPrivateKey> private_key(
 120       crypto::ECPrivateKey::Create());
 121   std::string der_cert;
 122   ASSERT_TRUE(
 123       x509_util::CreateChannelIDEC(private_key.get(),
 124                                    x509_util::DIGEST_SHA1,
 125                                    domain,
 126                                    1,
 127                                    now,
 128                                    now + base::TimeDelta::FromDays(1),
 129                                    &der_cert));
 130
 131   VerifyChannelID(domain, der_cert);
 132
 133   // signature_verifier_win and signature_verifier_mac can't handle EC certs.
 134   std::vector<uint8> spki;
 135   ASSERT_TRUE(private_key->ExportPublicKey(&spki));
 136   VerifyCertificateSignature(der_cert, spki);
 137 }
 138
 139 }  // namespace net